sys/opencrypto/cryptosoft.c

   1 /*      $OpenBSD: cryptosoft.c,v 1.35 2002/04/26 08:43:50 deraadt Exp $ */
   2
   3 /*-
   4  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
   5  *
   6  * This code was written by Angelos D. Keromytis in Athens, Greece, in
   7  * February 2000. Network Security Technologies Inc. (NSTI) kindly
   8  * supported the development of this code.
   9  *
  10  * Copyright (c) 2000, 2001 Angelos D. Keromytis
  11  *
  12  * Permission to use, copy, and modify this software with or without fee
  13  * is hereby granted, provided that this entire notice is included in
  14  * all source code copies of any software which is or includes a copy or
  15  * modification of this software.
  16  *
  17  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
  18  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
  19  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
  20  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
  21  * PURPOSE.
  22  */
  23
  24 #include <sys/cdefs.h>
  25 __FBSDID("$FreeBSD$");
  26
  27 #include <sys/param.h>
  28 #include <sys/systm.h>
  29 #include <sys/malloc.h>
  30 #include <sys/mbuf.h>
  31 #include <sys/sysctl.h>
  32 #include <sys/errno.h>
  33 #include <sys/random.h>
  34 #include <sys/kernel.h>
  35 #include <sys/uio.h>
  36
  37 #include <crypto/blowfish/blowfish.h>
  38 #include <crypto/sha1.h>
  39 #include <opencrypto/rmd160.h>
  40 #include <opencrypto/cast.h>
  41 #include <opencrypto/skipjack.h>
  42 #include <sys/md5.h>
  43
  44 #include <opencrypto/cryptodev.h>
  45 #include <opencrypto/cryptosoft.h>
  46 #include <opencrypto/xform.h>
  47
  48 u_int8_t *hmac_ipad_buffer;
  49 u_int8_t *hmac_opad_buffer;
  50
  51 struct swcr_data **swcr_sessions = NULL;
  52 u_int32_t swcr_sesnum = 0;
  53 int32_t swcr_id = -1;
  54
  55 #define COPYBACK(type, buf, off, size, in)      do {                    \
  56         switch (type) {                                                 \
  57         case CRYPTO_BUF_CONTIG:                                         \
  58                 bcopy(in, (u_char *)(buf) + (off), size);               \
  59                 break;                                                  \
  60         case CRYPTO_BUF_MBUF:                                           \
  61                 m_copyback((struct mbuf *)(buf), off, size, in);        \
  62                 break;                                                  \
  63         case CRYPTO_BUF_IOV:                                            \
  64                 cuio_copyback((struct uio *)(buf), off, size, in);      \
  65                 break;                                                  \
  66         }                                                               \
  67 } while (0)
  68 #define COPYDATA(type, buf, off, size, out)     do {                    \
  69         switch (type) {                                                 \
  70         case CRYPTO_BUF_CONTIG:                                         \
  71                 bcopy((u_char *)(buf) + (off), out, size);              \
  72                 break;                                                  \
  73         case CRYPTO_BUF_MBUF:                                           \
  74                 m_copydata((struct mbuf *)(buf), off, size, out);       \
  75                 break;                                                  \
  76         case CRYPTO_BUF_IOV:                                            \
  77                 cuio_copydata((struct uio *)(buf), off, size, out);     \
  78                 break;                                                  \
  79         }                                                               \
  80 } while (0)
  81
  82 static  int swcr_encdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
  83 static  int swcr_authcompute(struct cryptodesc *crd, struct swcr_data *sw,
  84                              caddr_t buf, int outtype);
  85 static  int swcr_compdec(struct cryptodesc *, struct swcr_data *, caddr_t, int);
  86 static  int swcr_process(void *, struct cryptop *, int);
  87 static  int swcr_newsession(void *, u_int32_t *, struct cryptoini *);
  88 static  int swcr_freesession(void *, u_int64_t);
  89
  90 /*
  91  * Apply a symmetric encryption/decryption algorithm.
  92  */
  93 static int
  94 swcr_encdec(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
  95     int outtype)
  96 {
  97         unsigned char iv[EALG_MAX_BLOCK_LEN], blk[EALG_MAX_BLOCK_LEN], *idat;
  98         unsigned char *ivp, piv[EALG_MAX_BLOCK_LEN];
  99         struct enc_xform *exf;
 100         int i, k, j, blks;
 101
 102         exf = sw->sw_exf;
 103         blks = exf->blocksize;
 104
 105         /* Check for non-padded data */
 106         if (crd->crd_len % blks)
 107                 return EINVAL;
 108
 109         /* Initialize the IV */
 110         if (crd->crd_flags & CRD_F_ENCRYPT) {
 111                 /* IV explicitly provided ? */
 112                 if (crd->crd_flags & CRD_F_IV_EXPLICIT)
 113                         bcopy(crd->crd_iv, iv, blks);
 114                 else
 115                         arc4rand(iv, blks, 0);
 116
 117                 /* Do we need to write the IV */
 118                 if (!(crd->crd_flags & CRD_F_IV_PRESENT)) {
 119                         COPYBACK(outtype, buf, crd->crd_inject, blks, iv);
 120                 }
 121
 122         } else {        /* Decryption */
 123                         /* IV explicitly provided ? */
 124                 if (crd->crd_flags & CRD_F_IV_EXPLICIT)
 125                         bcopy(crd->crd_iv, iv, blks);
 126                 else {
 127                         /* Get IV off buf */
 128                         COPYDATA(outtype, buf, crd->crd_inject, blks, iv);
 129                 }
 130         }
 131
 132         if (crd->crd_flags & CRD_F_KEY_EXPLICIT) {
 133                 int error;
 134
 135                 if (sw->sw_kschedule)
 136                         exf->zerokey(&(sw->sw_kschedule));
 137                 error = exf->setkey(&sw->sw_kschedule,
 138                                 crd->crd_key, crd->crd_klen / 8);
 139                 if (error)
 140                         return (error);
 141         }
 142         ivp = iv;
 143
 144         if (outtype == CRYPTO_BUF_CONTIG) {
 145                 if (crd->crd_flags & CRD_F_ENCRYPT) {
 146                         for (i = crd->crd_skip;
 147                             i < crd->crd_skip + crd->crd_len; i += blks) {
 148                                 /* XOR with the IV/previous block, as appropriate. */
 149                                 if (i == crd->crd_skip)
 150                                         for (k = 0; k < blks; k++)
 151                                                 buf[i + k] ^= ivp[k];
 152                                 else
 153                                         for (k = 0; k < blks; k++)
 154                                                 buf[i + k] ^= buf[i + k - blks];
 155                                 exf->encrypt(sw->sw_kschedule, buf + i);
 156                         }
 157                 } else {                /* Decrypt */
 158                         /*
 159                          * Start at the end, so we don't need to keep the encrypted
 160                          * block as the IV for the next block.
 161                          */
 162                         for (i = crd->crd_skip + crd->crd_len - blks;
 163                             i >= crd->crd_skip; i -= blks) {
 164                                 exf->decrypt(sw->sw_kschedule, buf + i);
 165
 166                                 /* XOR with the IV/previous block, as appropriate */
 167                                 if (i == crd->crd_skip)
 168                                         for (k = 0; k < blks; k++)
 169                                                 buf[i + k] ^= ivp[k];
 170                                 else
 171                                         for (k = 0; k < blks; k++)
 172                                                 buf[i + k] ^= buf[i + k - blks];
 173                         }
 174                 }
 175
 176                 return 0;
 177         } else if (outtype == CRYPTO_BUF_MBUF) {
 178                 struct mbuf *m = (struct mbuf *) buf;
 179
 180                 /* Find beginning of data */
 181                 m = m_getptr(m, crd->crd_skip, &k);
 182                 if (m == NULL)
 183                         return EINVAL;
 184
 185                 i = crd->crd_len;
 186
 187                 while (i > 0) {
 188                         /*
 189                          * If there's insufficient data at the end of
 190                          * an mbuf, we have to do some copying.
 191                          */
 192                         if (m->m_len < k + blks && m->m_len != k) {
 193                                 m_copydata(m, k, blks, blk);
 194
 195                                 /* Actual encryption/decryption */
 196                                 if (crd->crd_flags & CRD_F_ENCRYPT) {
 197                                         /* XOR with previous block */
 198                                         for (j = 0; j < blks; j++)
 199                                                 blk[j] ^= ivp[j];
 200
 201                                         exf->encrypt(sw->sw_kschedule, blk);
 202
 203                                         /*
 204                                          * Keep encrypted block for XOR'ing
 205                                          * with next block
 206                                          */
 207                                         bcopy(blk, iv, blks);
 208                                         ivp = iv;
 209                                 } else {        /* decrypt */
 210                                         /*
 211                                          * Keep encrypted block for XOR'ing
 212                                          * with next block
 213                                          */
 214                                         if (ivp == iv)
 215                                                 bcopy(blk, piv, blks);
 216                                         else
 217                                                 bcopy(blk, iv, blks);
 218
 219                                         exf->decrypt(sw->sw_kschedule, blk);
 220
 221                                         /* XOR with previous block */
 222                                         for (j = 0; j < blks; j++)
 223                                                 blk[j] ^= ivp[j];
 224
 225                                         if (ivp == iv)
 226                                                 bcopy(piv, iv, blks);
 227                                         else
 228                                                 ivp = iv;
 229                                 }
 230
 231                                 /* Copy back decrypted block */
 232                                 m_copyback(m, k, blks, blk);
 233
 234                                 /* Advance pointer */
 235                                 m = m_getptr(m, k + blks, &k);
 236                                 if (m == NULL)
 237                                         return EINVAL;
 238
 239                                 i -= blks;
 240
 241                                 /* Could be done... */
 242                                 if (i == 0)
 243                                         break;
 244                         }
 245
 246                         /* Skip possibly empty mbufs */
 247                         if (k == m->m_len) {
 248                                 for (m = m->m_next; m && m->m_len == 0;
 249                                     m = m->m_next)
 250                                         ;
 251                                 k = 0;
 252                         }
 253
 254                         /* Sanity check */
 255                         if (m == NULL)
 256                                 return EINVAL;
 257
 258                         /*
 259                          * Warning: idat may point to garbage here, but
 260                          * we only use it in the while() loop, only if
 261                          * there are indeed enough data.
 262                          */
 263                         idat = mtod(m, unsigned char *) + k;
 264
 265                         while (m->m_len >= k + blks && i > 0) {
 266                                 if (crd->crd_flags & CRD_F_ENCRYPT) {
 267                                         /* XOR with previous block/IV */
 268                                         for (j = 0; j < blks; j++)
 269                                                 idat[j] ^= ivp[j];
 270
 271                                         exf->encrypt(sw->sw_kschedule, idat);
 272                                         ivp = idat;
 273                                 } else {        /* decrypt */
 274                                         /*
 275                                          * Keep encrypted block to be used
 276                                          * in next block's processing.
 277                                          */
 278                                         if (ivp == iv)
 279                                                 bcopy(idat, piv, blks);
 280                                         else
 281                                                 bcopy(idat, iv, blks);
 282
 283                                         exf->decrypt(sw->sw_kschedule, idat);
 284
 285                                         /* XOR with previous block/IV */
 286                                         for (j = 0; j < blks; j++)
 287                                                 idat[j] ^= ivp[j];
 288
 289                                         if (ivp == iv)
 290                                                 bcopy(piv, iv, blks);
 291                                         else
 292                                                 ivp = iv;
 293                                 }
 294
 295                                 idat += blks;
 296                                 k += blks;
 297                                 i -= blks;
 298                         }
 299                 }
 300
 301                 return 0; /* Done with mbuf encryption/decryption */
 302         } else if (outtype == CRYPTO_BUF_IOV) {
 303                 struct uio *uio = (struct uio *) buf;
 304                 struct iovec *iov;
 305
 306                 /* Find beginning of data */
 307                 iov = cuio_getptr(uio, crd->crd_skip, &k);
 308                 if (iov == NULL)
 309                         return EINVAL;
 310
 311                 i = crd->crd_len;
 312
 313                 while (i > 0) {
 314                         /*
 315                          * If there's insufficient data at the end of
 316                          * an iovec, we have to do some copying.
 317                          */
 318                         if (iov->iov_len < k + blks && iov->iov_len != k) {
 319                                 cuio_copydata(uio, k, blks, blk);
 320
 321                                 /* Actual encryption/decryption */
 322                                 if (crd->crd_flags & CRD_F_ENCRYPT) {
 323                                         /* XOR with previous block */
 324                                         for (j = 0; j < blks; j++)
 325                                                 blk[j] ^= ivp[j];
 326
 327                                         exf->encrypt(sw->sw_kschedule, blk);
 328
 329                                         /*
 330                                          * Keep encrypted block for XOR'ing
 331                                          * with next block
 332                                          */
 333                                         bcopy(blk, iv, blks);
 334                                         ivp = iv;
 335                                 } else {        /* decrypt */
 336                                         /*
 337                                          * Keep encrypted block for XOR'ing
 338                                          * with next block
 339                                          */
 340                                         if (ivp == iv)
 341                                                 bcopy(blk, piv, blks);
 342                                         else
 343                                                 bcopy(blk, iv, blks);
 344
 345                                         exf->decrypt(sw->sw_kschedule, blk);
 346
 347                                         /* XOR with previous block */
 348                                         for (j = 0; j < blks; j++)
 349                                                 blk[j] ^= ivp[j];
 350
 351                                         if (ivp == iv)
 352                                                 bcopy(piv, iv, blks);
 353                                         else
 354                                                 ivp = iv;
 355                                 }
 356
 357                                 /* Copy back decrypted block */
 358                                 cuio_copyback(uio, k, blks, blk);
 359
 360                                 /* Advance pointer */
 361                                 iov = cuio_getptr(uio, k + blks, &k);
 362                                 if (iov == NULL)
 363                                         return EINVAL;
 364
 365                                 i -= blks;
 366
 367                                 /* Could be done... */
 368                                 if (i == 0)
 369                                         break;
 370                         }
 371
 372                         /*
 373                          * Warning: idat may point to garbage here, but
 374                          * we only use it in the while() loop, only if
 375                          * there are indeed enough data.
 376                          */
 377                         idat = (char *)iov->iov_base + k;
 378
 379                         while (iov->iov_len >= k + blks && i > 0) {
 380                                 if (crd->crd_flags & CRD_F_ENCRYPT) {
 381                                         /* XOR with previous block/IV */
 382                                         for (j = 0; j < blks; j++)
 383                                                 idat[j] ^= ivp[j];
 384
 385                                         exf->encrypt(sw->sw_kschedule, idat);
 386                                         ivp = idat;
 387                                 } else {        /* decrypt */
 388                                         /*
 389                                          * Keep encrypted block to be used
 390                                          * in next block's processing.
 391                                          */
 392                                         if (ivp == iv)
 393                                                 bcopy(idat, piv, blks);
 394                                         else
 395                                                 bcopy(idat, iv, blks);
 396
 397                                         exf->decrypt(sw->sw_kschedule, idat);
 398
 399                                         /* XOR with previous block/IV */
 400                                         for (j = 0; j < blks; j++)
 401                                                 idat[j] ^= ivp[j];
 402
 403                                         if (ivp == iv)
 404                                                 bcopy(piv, iv, blks);
 405                                         else
 406                                                 ivp = iv;
 407                                 }
 408
 409                                 idat += blks;
 410                                 k += blks;
 411                                 i -= blks;
 412                         }
 413                 }
 414
 415                 return 0; /* Done with iovec encryption/decryption */
 416         }
 417
 418         /* Unreachable */
 419         return EINVAL;
 420 }
 421
 422 static void
 423 swcr_authprepare(struct auth_hash *axf, struct swcr_data *sw, u_char *key,
 424     int klen)
 425 {
 426         int k;
 427
 428         klen /= 8;
 429
 430         switch (axf->type) {
 431         case CRYPTO_MD5_HMAC:
 432         case CRYPTO_SHA1_HMAC:
 433         case CRYPTO_SHA2_256_HMAC:
 434         case CRYPTO_SHA2_384_HMAC:
 435         case CRYPTO_SHA2_512_HMAC:
 436         case CRYPTO_NULL_HMAC:
 437         case CRYPTO_RIPEMD160_HMAC:
 438                 for (k = 0; k < klen; k++)
 439                         key[k] ^= HMAC_IPAD_VAL;
 440
 441                 axf->Init(sw->sw_ictx);
 442                 axf->Update(sw->sw_ictx, key, klen);
 443                 axf->Update(sw->sw_ictx, hmac_ipad_buffer, axf->blocksize - klen);
 444
 445                 for (k = 0; k < klen; k++)
 446                         key[k] ^= (HMAC_IPAD_VAL ^ HMAC_OPAD_VAL);
 447
 448                 axf->Init(sw->sw_octx);
 449                 axf->Update(sw->sw_octx, key, klen);
 450                 axf->Update(sw->sw_octx, hmac_opad_buffer, axf->blocksize - klen);
 451
 452                 for (k = 0; k < klen; k++)
 453                         key[k] ^= HMAC_OPAD_VAL;
 454                 break;
 455         case CRYPTO_MD5_KPDK:
 456         case CRYPTO_SHA1_KPDK:
 457                 sw->sw_klen = klen;
 458                 bcopy(key, sw->sw_octx, klen);
 459                 axf->Init(sw->sw_ictx);
 460                 axf->Update(sw->sw_ictx, key, klen);
 461                 axf->Final(NULL, sw->sw_ictx);
 462                 break;
 463         default:
 464                 printf("%s: CRD_F_KEY_EXPLICIT flag given, but algorithm %d "
 465                     "doesn't use keys.\n", __func__, axf->type);
 466         }
 467 }
 468
 469 /*
 470  * Compute keyed-hash authenticator.
 471  */
 472 static int
 473 swcr_authcompute(struct cryptodesc *crd, struct swcr_data *sw, caddr_t buf,
 474     int outtype)
 475 {
 476         unsigned char aalg[AALG_MAX_RESULT_LEN];
 477         struct auth_hash *axf;
 478         union authctx ctx;
 479         int err;
 480
 481         if (sw->sw_ictx == 0)
 482                 return EINVAL;
 483
 484         axf = sw->sw_axf;
 485
 486         if (crd->crd_flags & CRD_F_KEY_EXPLICIT)
 487                 swcr_authprepare(axf, sw, crd->crd_key, crd->crd_klen);
 488
 489         bcopy(sw->sw_ictx, &ctx, axf->ctxsize);
 490
 491         switch (outtype) {
 492         case CRYPTO_BUF_CONTIG:
 493                 axf->Update(&ctx, buf + crd->crd_skip, crd->crd_len);
 494                 break;
 495         case CRYPTO_BUF_MBUF:
 496                 err = m_apply((struct mbuf *) buf, crd->crd_skip, crd->crd_len,
 497                     (int (*)(void *, void *, unsigned int)) axf->Update,
 498                     (caddr_t) &ctx);
 499                 if (err)
 500                         return err;
 501                 break;
 502         case CRYPTO_BUF_IOV:
 503                 err = cuio_apply((struct uio *) buf, crd->crd_skip, crd->crd_len,
 504                     (int (*)(void *, void *, unsigned int)) axf->Update,
 505                     (caddr_t) &ctx);
 506                 if (err)
 507                         return err;
 508                 break;
 509         default:
 510                 return EINVAL;
 511         }
 512
 513         switch (sw->sw_alg) {
 514         case CRYPTO_MD5_HMAC:
 515         case CRYPTO_SHA1_HMAC:
 516         case CRYPTO_SHA2_256_HMAC:
 517         case CRYPTO_SHA2_384_HMAC:
 518         case CRYPTO_SHA2_512_HMAC:
 519         case CRYPTO_RIPEMD160_HMAC:
 520                 if (sw->sw_octx == NULL)
 521                         return EINVAL;
 522
 523                 axf->Final(aalg, &ctx);
 524                 bcopy(sw->sw_octx, &ctx, axf->ctxsize);
 525                 axf->Update(&ctx, aalg, axf->hashsize);
 526                 axf->Final(aalg, &ctx);
 527                 break;
 528
 529         case CRYPTO_MD5_KPDK:
 530         case CRYPTO_SHA1_KPDK:
 531                 if (sw->sw_octx == NULL)
 532                         return EINVAL;
 533
 534                 axf->Update(&ctx, sw->sw_octx, sw->sw_klen);
 535                 axf->Final(aalg, &ctx);
 536                 break;
 537
 538         case CRYPTO_NULL_HMAC:
 539                 axf->Final(aalg, &ctx);
 540                 break;
 541         }
 542
 543         /* Inject the authentication data */
 544         COPYBACK(outtype, buf, crd->crd_inject,
 545             sw->sw_mlen == 0 ? axf->hashsize : sw->sw_mlen, aalg);
 546         return 0;
 547 }
 548
 549 /*
 550  * Apply a compression/decompression algorithm
 551  */
 552 static int
 553 swcr_compdec(struct cryptodesc *crd, struct swcr_data *sw,
 554     caddr_t buf, int outtype)
 555 {
 556         u_int8_t *data, *out;
 557         struct comp_algo *cxf;
 558         int adj;
 559         u_int32_t result;
 560
 561         cxf = sw->sw_cxf;
 562
 563         /* We must handle the whole buffer of data in one time
 564          * then if there is not all the data in the mbuf, we must
 565          * copy in a buffer.
 566          */
 567
 568         MALLOC(data, u_int8_t *, crd->crd_len, M_CRYPTO_DATA,  M_NOWAIT);
 569         if (data == NULL)
 570                 return (EINVAL);
 571         COPYDATA(outtype, buf, crd->crd_skip, crd->crd_len, data);
 572
 573         if (crd->crd_flags & CRD_F_COMP)
 574                 result = cxf->compress(data, crd->crd_len, &out);
 575         else
 576                 result = cxf->decompress(data, crd->crd_len, &out);
 577
 578         FREE(data, M_CRYPTO_DATA);
 579         if (result == 0)
 580                 return EINVAL;
 581
 582         /* Copy back the (de)compressed data. m_copyback is
 583          * extending the mbuf as necessary.
 584          */
 585         sw->sw_size = result;
 586         /* Check the compressed size when doing compression */
 587         if (crd->crd_flags & CRD_F_COMP) {
 588                 if (result > crd->crd_len) {
 589                         /* Compression was useless, we lost time */
 590                         FREE(out, M_CRYPTO_DATA);
 591                         return 0;
 592                 }
 593         }
 594
 595         COPYBACK(outtype, buf, crd->crd_skip, result, out);
 596         if (result < crd->crd_len) {
 597                 adj = result - crd->crd_len;
 598                 if (outtype == CRYPTO_BUF_MBUF) {
 599                         adj = result - crd->crd_len;
 600                         m_adj((struct mbuf *)buf, adj);
 601                 } else {
 602                         struct uio *uio = (struct uio *)buf;
 603                         int ind;
 604
 605                         adj = crd->crd_len - result;
 606                         ind = uio->uio_iovcnt - 1;
 607
 608                         while (adj > 0 && ind >= 0) {
 609                                 if (adj < uio->uio_iov[ind].iov_len) {
 610                                         uio->uio_iov[ind].iov_len -= adj;
 611                                         break;
 612                                 }
 613
 614                                 adj -= uio->uio_iov[ind].iov_len;
 615                                 uio->uio_iov[ind].iov_len = 0;
 616                                 ind--;
 617                                 uio->uio_iovcnt--;
 618                         }
 619                 }
 620         }
 621         FREE(out, M_CRYPTO_DATA);
 622         return 0;
 623 }
 624
 625 /*
 626  * Generate a new software session.
 627  */
 628 static int
 629 swcr_newsession(void *arg, u_int32_t *sid, struct cryptoini *cri)
 630 {
 631         struct swcr_data **swd;
 632         struct auth_hash *axf;
 633         struct enc_xform *txf;
 634         struct comp_algo *cxf;
 635         u_int32_t i;
 636         int error;
 637
 638         if (sid == NULL || cri == NULL)
 639                 return EINVAL;
 640
 641         if (swcr_sessions) {
 642                 for (i = 1; i < swcr_sesnum; i++)
 643                         if (swcr_sessions[i] == NULL)
 644                                 break;
 645         } else
 646                 i = 1;          /* NB: to silence compiler warning */
 647
 648         if (swcr_sessions == NULL || i == swcr_sesnum) {
 649                 if (swcr_sessions == NULL) {
 650                         i = 1; /* We leave swcr_sessions[0] empty */
 651                         swcr_sesnum = CRYPTO_SW_SESSIONS;
 652                 } else
 653                         swcr_sesnum *= 2;
 654
 655                 swd = malloc(swcr_sesnum * sizeof(struct swcr_data *),
 656                     M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
 657                 if (swd == NULL) {
 658                         /* Reset session number */
 659                         if (swcr_sesnum == CRYPTO_SW_SESSIONS)
 660                                 swcr_sesnum = 0;
 661                         else
 662                                 swcr_sesnum /= 2;
 663                         return ENOBUFS;
 664                 }
 665
 666                 /* Copy existing sessions */
 667                 if (swcr_sessions) {
 668                         bcopy(swcr_sessions, swd,
 669                             (swcr_sesnum / 2) * sizeof(struct swcr_data *));
 670                         free(swcr_sessions, M_CRYPTO_DATA);
 671                 }
 672
 673                 swcr_sessions = swd;
 674         }
 675
 676         swd = &swcr_sessions[i];
 677         *sid = i;
 678
 679         while (cri) {
 680                 MALLOC(*swd, struct swcr_data *, sizeof(struct swcr_data),
 681                     M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
 682                 if (*swd == NULL) {
 683                         swcr_freesession(NULL, i);
 684                         return ENOBUFS;
 685                 }
 686
 687                 switch (cri->cri_alg) {
 688                 case CRYPTO_DES_CBC:
 689                         txf = &enc_xform_des;
 690                         goto enccommon;
 691                 case CRYPTO_3DES_CBC:
 692                         txf = &enc_xform_3des;
 693                         goto enccommon;
 694                 case CRYPTO_BLF_CBC:
 695                         txf = &enc_xform_blf;
 696                         goto enccommon;
 697                 case CRYPTO_CAST_CBC:
 698                         txf = &enc_xform_cast5;
 699                         goto enccommon;
 700                 case CRYPTO_SKIPJACK_CBC:
 701                         txf = &enc_xform_skipjack;
 702                         goto enccommon;
 703                 case CRYPTO_RIJNDAEL128_CBC:
 704                         txf = &enc_xform_rijndael128;
 705                         goto enccommon;
 706                 case CRYPTO_NULL_CBC:
 707                         txf = &enc_xform_null;
 708                         goto enccommon;
 709                 enccommon:
 710                         if (cri->cri_key != NULL) {
 711                                 error = txf->setkey(&((*swd)->sw_kschedule),
 712                                     cri->cri_key, cri->cri_klen / 8);
 713                                 if (error) {
 714                                         swcr_freesession(NULL, i);
 715                                         return error;
 716                                 }
 717                         }
 718                         (*swd)->sw_exf = txf;
 719                         break;
 720
 721                 case CRYPTO_MD5_HMAC:
 722                         axf = &auth_hash_hmac_md5;
 723                         goto authcommon;
 724                 case CRYPTO_SHA1_HMAC:
 725                         axf = &auth_hash_hmac_sha1;
 726                         goto authcommon;
 727                 case CRYPTO_SHA2_256_HMAC:
 728                         axf = &auth_hash_hmac_sha2_256;
 729                         goto authcommon;
 730                 case CRYPTO_SHA2_384_HMAC:
 731                         axf = &auth_hash_hmac_sha2_384;
 732                         goto authcommon;
 733                 case CRYPTO_SHA2_512_HMAC:
 734                         axf = &auth_hash_hmac_sha2_512;
 735                         goto authcommon;
 736                 case CRYPTO_NULL_HMAC:
 737                         axf = &auth_hash_null;
 738                         goto authcommon;
 739                 case CRYPTO_RIPEMD160_HMAC:
 740                         axf = &auth_hash_hmac_ripemd_160;
 741                 authcommon:
 742                         (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
 743                             M_NOWAIT);
 744                         if ((*swd)->sw_ictx == NULL) {
 745                                 swcr_freesession(NULL, i);
 746                                 return ENOBUFS;
 747                         }
 748
 749                         (*swd)->sw_octx = malloc(axf->ctxsize, M_CRYPTO_DATA,
 750                             M_NOWAIT);
 751                         if ((*swd)->sw_octx == NULL) {
 752                                 swcr_freesession(NULL, i);
 753                                 return ENOBUFS;
 754                         }
 755
 756                         if (cri->cri_key != NULL) {
 757                                 swcr_authprepare(axf, *swd, cri->cri_key,
 758                                     cri->cri_klen);
 759                         }
 760
 761                         (*swd)->sw_mlen = cri->cri_mlen;
 762                         (*swd)->sw_axf = axf;
 763                         break;
 764
 765                 case CRYPTO_MD5_KPDK:
 766                         axf = &auth_hash_key_md5;
 767                         goto auth2common;
 768
 769                 case CRYPTO_SHA1_KPDK:
 770                         axf = &auth_hash_key_sha1;
 771                 auth2common:
 772                         (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
 773                             M_NOWAIT);
 774                         if ((*swd)->sw_ictx == NULL) {
 775                                 swcr_freesession(NULL, i);
 776                                 return ENOBUFS;
 777                         }
 778
 779                         (*swd)->sw_octx = malloc(cri->cri_klen / 8,
 780                             M_CRYPTO_DATA, M_NOWAIT);
 781                         if ((*swd)->sw_octx == NULL) {
 782                                 swcr_freesession(NULL, i);
 783                                 return ENOBUFS;
 784                         }
 785
 786                         /* Store the key so we can "append" it to the payload */
 787                         if (cri->cri_key != NULL) {
 788                                 swcr_authprepare(axf, *swd, cri->cri_key,
 789                                     cri->cri_klen);
 790                         }
 791
 792                         (*swd)->sw_mlen = cri->cri_mlen;
 793                         (*swd)->sw_axf = axf;
 794                         break;
 795 #ifdef notdef
 796                 case CRYPTO_MD5:
 797                         axf = &auth_hash_md5;
 798                         goto auth3common;
 799
 800                 case CRYPTO_SHA1:
 801                         axf = &auth_hash_sha1;
 802                 auth3common:
 803                         (*swd)->sw_ictx = malloc(axf->ctxsize, M_CRYPTO_DATA,
 804                             M_NOWAIT);
 805                         if ((*swd)->sw_ictx == NULL) {
 806                                 swcr_freesession(NULL, i);
 807                                 return ENOBUFS;
 808                         }
 809
 810                         axf->Init((*swd)->sw_ictx);
 811                         (*swd)->sw_mlen = cri->cri_mlen;
 812                         (*swd)->sw_axf = axf;
 813                         break;
 814 #endif
 815                 case CRYPTO_DEFLATE_COMP:
 816                         cxf = &comp_algo_deflate;
 817                         (*swd)->sw_cxf = cxf;
 818                         break;
 819                 default:
 820                         swcr_freesession(NULL, i);
 821                         return EINVAL;
 822                 }
 823
 824                 (*swd)->sw_alg = cri->cri_alg;
 825                 cri = cri->cri_next;
 826                 swd = &((*swd)->sw_next);
 827         }
 828         return 0;
 829 }
 830
 831 /*
 832  * Free a session.
 833  */
 834 static int
 835 swcr_freesession(void *arg, u_int64_t tid)
 836 {
 837         struct swcr_data *swd;
 838         struct enc_xform *txf;
 839         struct auth_hash *axf;
 840         struct comp_algo *cxf;
 841         u_int32_t sid = CRYPTO_SESID2LID(tid);
 842
 843         if (sid > swcr_sesnum || swcr_sessions == NULL ||
 844             swcr_sessions[sid] == NULL)
 845                 return EINVAL;
 846
 847         /* Silently accept and return */
 848         if (sid == 0)
 849                 return 0;
 850
 851         while ((swd = swcr_sessions[sid]) != NULL) {
 852                 swcr_sessions[sid] = swd->sw_next;
 853
 854                 switch (swd->sw_alg) {
 855                 case CRYPTO_DES_CBC:
 856                 case CRYPTO_3DES_CBC:
 857                 case CRYPTO_BLF_CBC:
 858                 case CRYPTO_CAST_CBC:
 859                 case CRYPTO_SKIPJACK_CBC:
 860                 case CRYPTO_RIJNDAEL128_CBC:
 861                 case CRYPTO_NULL_CBC:
 862                         txf = swd->sw_exf;
 863
 864                         if (swd->sw_kschedule)
 865                                 txf->zerokey(&(swd->sw_kschedule));
 866                         break;
 867
 868                 case CRYPTO_MD5_HMAC:
 869                 case CRYPTO_SHA1_HMAC:
 870                 case CRYPTO_SHA2_256_HMAC:
 871                 case CRYPTO_SHA2_384_HMAC:
 872                 case CRYPTO_SHA2_512_HMAC:
 873                 case CRYPTO_RIPEMD160_HMAC:
 874                 case CRYPTO_NULL_HMAC:
 875                         axf = swd->sw_axf;
 876
 877                         if (swd->sw_ictx) {
 878                                 bzero(swd->sw_ictx, axf->ctxsize);
 879                                 free(swd->sw_ictx, M_CRYPTO_DATA);
 880                         }
 881                         if (swd->sw_octx) {
 882                                 bzero(swd->sw_octx, axf->ctxsize);
 883                                 free(swd->sw_octx, M_CRYPTO_DATA);
 884                         }
 885                         break;
 886
 887                 case CRYPTO_MD5_KPDK:
 888                 case CRYPTO_SHA1_KPDK:
 889                         axf = swd->sw_axf;
 890
 891                         if (swd->sw_ictx) {
 892                                 bzero(swd->sw_ictx, axf->ctxsize);
 893                                 free(swd->sw_ictx, M_CRYPTO_DATA);
 894                         }
 895                         if (swd->sw_octx) {
 896                                 bzero(swd->sw_octx, swd->sw_klen);
 897                                 free(swd->sw_octx, M_CRYPTO_DATA);
 898                         }
 899                         break;
 900
 901                 case CRYPTO_MD5:
 902                 case CRYPTO_SHA1:
 903                         axf = swd->sw_axf;
 904
 905                         if (swd->sw_ictx)
 906                                 free(swd->sw_ictx, M_CRYPTO_DATA);
 907                         break;
 908
 909                 case CRYPTO_DEFLATE_COMP:
 910                         cxf = swd->sw_cxf;
 911                         break;
 912                 }
 913
 914                 FREE(swd, M_CRYPTO_DATA);
 915         }
 916         return 0;
 917 }
 918
 919 /*
 920  * Process a software request.
 921  */
 922 static int
 923 swcr_process(void *arg, struct cryptop *crp, int hint)
 924 {
 925         struct cryptodesc *crd;
 926         struct swcr_data *sw;
 927         u_int32_t lid;
 928         int type;
 929
 930         /* Sanity check */
 931         if (crp == NULL)
 932                 return EINVAL;
 933
 934         if (crp->crp_desc == NULL || crp->crp_buf == NULL) {
 935                 crp->crp_etype = EINVAL;
 936                 goto done;
 937         }
 938
 939         lid = crp->crp_sid & 0xffffffff;
 940         if (lid >= swcr_sesnum || lid == 0 || swcr_sessions[lid] == NULL) {
 941                 crp->crp_etype = ENOENT;
 942                 goto done;
 943         }
 944
 945         if (crp->crp_flags & CRYPTO_F_IMBUF) {
 946                 type = CRYPTO_BUF_MBUF;
 947         } else if (crp->crp_flags & CRYPTO_F_IOV) {
 948                 type = CRYPTO_BUF_IOV;
 949         } else {
 950                 type = CRYPTO_BUF_CONTIG;
 951         }
 952
 953         /* Go through crypto descriptors, processing as we go */
 954         for (crd = crp->crp_desc; crd; crd = crd->crd_next) {
 955                 /*
 956                  * Find the crypto context.
 957                  *
 958                  * XXX Note that the logic here prevents us from having
 959                  * XXX the same algorithm multiple times in a session
 960                  * XXX (or rather, we can but it won't give us the right
 961                  * XXX results). To do that, we'd need some way of differentiating
 962                  * XXX between the various instances of an algorithm (so we can
 963                  * XXX locate the correct crypto context).
 964                  */
 965                 for (sw = swcr_sessions[lid];
 966                     sw && sw->sw_alg != crd->crd_alg;
 967                     sw = sw->sw_next)
 968                         ;
 969
 970                 /* No such context ? */
 971                 if (sw == NULL) {
 972                         crp->crp_etype = EINVAL;
 973                         goto done;
 974                 }
 975                 switch (sw->sw_alg) {
 976                 case CRYPTO_DES_CBC:
 977                 case CRYPTO_3DES_CBC:
 978                 case CRYPTO_BLF_CBC:
 979                 case CRYPTO_CAST_CBC:
 980                 case CRYPTO_SKIPJACK_CBC:
 981                 case CRYPTO_RIJNDAEL128_CBC:
 982                         if ((crp->crp_etype = swcr_encdec(crd, sw,
 983                             crp->crp_buf, type)) != 0)
 984                                 goto done;
 985                         break;
 986                 case CRYPTO_NULL_CBC:
 987                         crp->crp_etype = 0;
 988                         break;
 989                 case CRYPTO_MD5_HMAC:
 990                 case CRYPTO_SHA1_HMAC:
 991                 case CRYPTO_SHA2_256_HMAC:
 992                 case CRYPTO_SHA2_384_HMAC:
 993                 case CRYPTO_SHA2_512_HMAC:
 994                 case CRYPTO_RIPEMD160_HMAC:
 995                 case CRYPTO_NULL_HMAC:
 996                 case CRYPTO_MD5_KPDK:
 997                 case CRYPTO_SHA1_KPDK:
 998                 case CRYPTO_MD5:
 999                 case CRYPTO_SHA1:
1000                         if ((crp->crp_etype = swcr_authcompute(crd, sw,
1001                             crp->crp_buf, type)) != 0)
1002                                 goto done;
1003                         break;
1004
1005                 case CRYPTO_DEFLATE_COMP:
1006                         if ((crp->crp_etype = swcr_compdec(crd, sw,
1007                             crp->crp_buf, type)) != 0)
1008                                 goto done;
1009                         else
1010                                 crp->crp_olen = (int)sw->sw_size;
1011                         break;
1012
1013                 default:
1014                         /* Unknown/unsupported algorithm */
1015                         crp->crp_etype = EINVAL;
1016                         goto done;
1017                 }
1018         }
1019
1020 done:
1021         crypto_done(crp);
1022         return 0;
1023 }
1024
1025 /*
1026  * Initialize the driver, called from the kernel main().
1027  */
1028 static void
1029 swcr_init(void)
1030 {
1031         u_int i;
1032
1033         hmac_ipad_buffer = malloc(HMAC_BLOCK_MAXLEN, M_CRYPTO_DATA, M_WAITOK);
1034         for (i = 0; i < HMAC_BLOCK_MAXLEN; i++)
1035                 hmac_ipad_buffer[i] = HMAC_IPAD_VAL;
1036         hmac_opad_buffer = malloc(HMAC_BLOCK_MAXLEN, M_CRYPTO_DATA, M_WAITOK);
1037         for (i = 0; i < HMAC_BLOCK_MAXLEN; i++)
1038                 hmac_opad_buffer[i] = HMAC_OPAD_VAL;
1039
1040         swcr_id = crypto_get_driverid(CRYPTOCAP_F_SOFTWARE | CRYPTOCAP_F_SYNC);
1041         if (swcr_id < 0)
1042                 panic("Software crypto device cannot initialize!");
1043         crypto_register(swcr_id, CRYPTO_DES_CBC,
1044             0, 0, swcr_newsession, swcr_freesession, swcr_process, NULL);
1045 #define REGISTER(alg) \
1046         crypto_register(swcr_id, alg, 0,0,NULL,NULL,NULL,NULL)
1047         REGISTER(CRYPTO_3DES_CBC);
1048         REGISTER(CRYPTO_BLF_CBC);
1049         REGISTER(CRYPTO_CAST_CBC);
1050         REGISTER(CRYPTO_SKIPJACK_CBC);
1051         REGISTER(CRYPTO_NULL_CBC);
1052         REGISTER(CRYPTO_MD5_HMAC);
1053         REGISTER(CRYPTO_SHA1_HMAC);
1054         REGISTER(CRYPTO_SHA2_256_HMAC);
1055         REGISTER(CRYPTO_SHA2_384_HMAC);
1056         REGISTER(CRYPTO_SHA2_512_HMAC);
1057         REGISTER(CRYPTO_RIPEMD160_HMAC);
1058         REGISTER(CRYPTO_NULL_HMAC);
1059         REGISTER(CRYPTO_MD5_KPDK);
1060         REGISTER(CRYPTO_SHA1_KPDK);
1061         REGISTER(CRYPTO_MD5);
1062         REGISTER(CRYPTO_SHA1);
1063         REGISTER(CRYPTO_RIJNDAEL128_CBC);
1064         REGISTER(CRYPTO_DEFLATE_COMP);
1065 #undef REGISTER
1066 }
1067 SYSINIT(cryptosoft_init, SI_SUB_PSEUDO, SI_ORDER_ANY, swcr_init, NULL)
1068
1069 static void
1070 swcr_uninit(void)
1071 {
1072
1073         if (swcr_sessions != NULL)
1074                 FREE(swcr_sessions, M_CRYPTO_DATA);
1075         free(hmac_ipad_buffer, M_CRYPTO_DATA);
1076         free(hmac_opad_buffer, M_CRYPTO_DATA);
1077 }
1078 SYSUNINIT(cryptosoft_uninit, SI_SUB_PSEUDO, SI_ORDER_ANY, swcr_uninit, NULL);